π Clawdbot Security Self-Audit Script - Check if your instance is exposed
#!/bin/bash
# Clawdbot Security Self-Audit Script
# Run this on any Clawdbot instance to check exposure
#
# Exits non-zero (via the summary at the bottom) when any check fails, so the
# script can be run from cron/CI. Nothing secret is printed by any check.

# Abort on the first unhandled failing command; anything that is allowed to
# fail must be guarded explicitly (|| echo ..., if cmd; ...).
set -e

# Banner
printf '%s\n' "ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ"
printf '%s\n' "β CLAWDBOT SECURITY SELF-AUDIT β"
printf '%s\n' "ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ"
printf '\n'

# Result counters: incremented by check() and reported in the summary.
PASS=0
WARN=0
FAIL=0
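#######################################
# Record one audit result and print it.
# Globals:   PASS, WARN, FAIL (incremented)
# Arguments: $1 - short check id (only used in the unknown-status diagnostic)
#            $2 - status: pass | warn | fail
#            $3 - human-readable message
# Outputs:   one result line on stdout; an unknown status is reported on stderr
# Returns:   0 always, so a result can never abort the audit under `set -e`
#######################################
check() {
  local name="$1"
  local status="$2"
  local msg="$3"
  # Counters use VAR=$((VAR + 1)) on purpose: `((VAR++))` evaluates to the OLD
  # value, which is 0 on the first increment and therefore a non-zero exit
  # status -- under `set -e` that killed the script after the very first
  # passing check.
  case "$status" in
    pass) printf '%s\n' " β $msg"; PASS=$((PASS + 1)) ;;
    warn) printf '%s\n' " β οΈ $msg"; WARN=$((WARN + 1)) ;;
    fail) printf '%s\n' " β $msg"; FAIL=$((FAIL + 1)) ;;
    *) printf 'check: unknown status "%s" for check "%s"\n' "$status" "$name" >&2 ;;
  esac
  return 0
}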
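# Get external IP.
# The value is reused by later checks (it ends up inside a command line), so it
# must not be trusted blindly: fetch it over HTTPS with a bounded timeout and
# accept only a plain dotted-quad; anything else collapses to "unknown".
MY_IP=$(curl -fs4 --max-time 5 https://ifconfig.me 2>/dev/null || echo "unknown")
if [[ ! "$MY_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  MY_IP="unknown"
fi
printf '%s\n' "π External IP: $MY_IP"
printf '\n'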
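# 1. Gateway Binding
printf '%s\n' "1οΈβ£ GATEWAY BINDING"
printf '%s\n' "βββββββββββββββββββββββββββββββββββββββββ"
# Local address of the first listening TCP socket on port 18789 (column 4 of
# `ss -tln`). The port is anchored so an address that merely contains the
# digits 18789 cannot match. `-p` is not needed for the address and only
# produces permission warnings for non-root users.
if command -v ss >/dev/null 2>&1; then
  BIND=$(ss -tln 2>/dev/null | awk '$4 ~ /:18789$/ { print $4; exit }')
else
  BIND=""
fi
# Wildcard addresses (0.0.0.0, [::], *) all mean "every interface"; the
# original regex missed the `*:18789` form and let unescaped dots match
# arbitrary characters.
case "$BIND" in
  "")
    check "bind" "warn" "Gateway not running or not on port 18789 (or ss unavailable)" ;;
  127.*|localhost:*|"[::1]:"*)
    check "bind" "pass" "Gateway bound to localhost only ($BIND)" ;;
  0.0.0.0:*|"[::]:"*|"*:"*)
    check "bind" "fail" "Gateway bound to ALL interfaces ($BIND)" ;;
  *)
    check "bind" "warn" "Gateway binding: $BIND" ;;
esac
printf '\n'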
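# 2. External Port Check
printf '%s\n' "2οΈβ£ EXTERNAL PORT ACCESS"
printf '%s\n' "βββββββββββββββββββββββββββββββββββββββββ"
# Try to connect to our own public address on 18789. MY_IP is handed to bash
# as a positional parameter instead of being spliced into the -c string, so an
# unexpected value from the IP lookup can never be executed as shell.
# NOTE: from behind NAT this exercises hairpin/loopback routing rather than a
# true outside view -- a CLOSED result is reassuring, not proof of non-exposure.
if [ "$MY_IP" = "unknown" ]; then
  check "port" "warn" "Could not determine external IP"
elif ! command -v timeout >/dev/null 2>&1; then
  check "port" "warn" "timeout(1) not available, skipping external port probe"
elif timeout 3 bash -c 'echo >"/dev/tcp/$1/18789"' _ "$MY_IP" 2>/dev/null; then
  check "port" "fail" "Port 18789 is OPEN externally!"
else
  check "port" "pass" "Port 18789 is CLOSED externally"
fi
printf '\n'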
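# 3. mDNS
printf '%s\n' "3οΈβ£ mDNS EXPOSURE"
printf '%s\n' "βββββββββββββββββββββββββββββββββββββββββ"
# Only meaningful when avahi-daemon is running. If the daemon is up but the
# avahi-browse client is missing we cannot tell either way, so report a
# warning instead of the false "pass" an empty grep would otherwise produce.
if ! pgrep -x avahi-daemon >/dev/null 2>&1; then
  check "mdns" "pass" "Avahi/mDNS not running"
elif ! command -v avahi-browse >/dev/null 2>&1; then
  check "mdns" "warn" "Avahi running but avahi-browse not installed; cannot inspect advertised services"
elif avahi-browse -apt 2>/dev/null | grep -qi clawdbot; then
  check "mdns" "warn" "Clawdbot service advertised via mDNS"
else
  check "mdns" "pass" "Avahi running but no Clawdbot service advertised"
fi
printf '\n'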
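# 4. Authentication
printf '%s\n' "4οΈβ£ AUTHENTICATION"
printf '%s\n' "βββββββββββββββββββββββββββββββββββββββββ"
CONFIG_FILE="${HOME}/.clawdbot/clawdbot.json"

#######################################
# Print the gatewayToken value from a Clawdbot config file (empty if absent).
# Prefers jq (real JSON parsing); otherwise falls back to a POSIX sed
# expression instead of `grep -P`, which is GNU-only and on other systems
# silently yields an empty token and a spurious "too short" failure.
# Arguments: $1 - path to the JSON config file
# Outputs:   the token on stdout
# Returns:   0 always
#######################################
read_gateway_token() {
  local file="$1"
  if command -v jq >/dev/null 2>&1; then
    jq -r '.gatewayToken // empty' "$file" 2>/dev/null || true
  else
    sed -nE 's/.*"gatewayToken"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1/p' "$file" 2>/dev/null | head -n 1
  fi
}

# Only the token LENGTH is ever reported; the value itself stays out of the
# report and of terminal scrollback.
if [ ! -f "$CONFIG_FILE" ]; then
  check "auth" "warn" "Config file not found at $CONFIG_FILE"
elif ! grep -q '"gatewayToken"' "$CONFIG_FILE" 2>/dev/null; then
  check "auth" "warn" "No gateway token in config (using session-based auth)"
else
  TOKEN=$(read_gateway_token "$CONFIG_FILE")
  if [ "${#TOKEN}" -ge 32 ]; then
    check "auth" "pass" "Gateway token configured (${#TOKEN} chars)"
  elif [ "${#TOKEN}" -ge 16 ]; then
    check "auth" "warn" "Gateway token is short (${#TOKEN} chars, recommend 32+)"
  else
    check "auth" "fail" "Gateway token is too short (${#TOKEN} chars)"
  fi
fi
printf '\n'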
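# 5. File Permissions
printf '%s\n' "5οΈβ£ FILE PERMISSIONS"
printf '%s\n' "βββββββββββββββββββββββββββββββββββββββββ"
# The config holds the gateway token, so group/other access to it is a real
# exposure. Inspect the mode bits rather than matching a few literal modes:
# any "other" bit is a failure, any "group" bit a warning. GNU and BSD stat
# take different flags, so try both before giving up.
if [ -f "$CONFIG_FILE" ]; then
  PERM=$(stat -c "%a" "$CONFIG_FILE" 2>/dev/null || stat -f "%OLp" "$CONFIG_FILE" 2>/dev/null || echo "unknown")
  if [[ "$PERM" =~ ^[0-7]{3,4}$ ]]; then
    if (( 8#$PERM & 8#007 )); then
      check "perm" "fail" "Config file accessible by others: $PERM"
    elif (( 8#$PERM & 8#070 )); then
      check "perm" "warn" "Config file accessible by group: $PERM"
    else
      check "perm" "pass" "Config file permissions: $PERM"
    fi
  else
    check "perm" "warn" "Config file permissions: $PERM"
  fi
fi
printf '\n'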
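# 6. Firewall
printf '%s\n' "6οΈβ£ FIREWALL"
printf '%s\n' "βββββββββββββββββββββββββββββββββββββββββ"
# `sudo -n` never prompts: when we cannot become root the status is simply
# unknown and is reported as such, instead of being mistaken for "inactive"
# (a bare grep for "Status: active" cannot tell the two apart). The status is
# read once and reused. Only ufw is inspected; hosts that use nftables or
# firewalld directly will see the "not installed" warning.
if command -v ufw >/dev/null 2>&1; then
  UFW_STATUS=$(sudo -n ufw status 2>/dev/null || true)
  if [ -z "$UFW_STATUS" ]; then
    check "fw" "warn" "UFW installed but status could not be read (re-run with sudo)"
  elif ! grep -q "Status: active" <<<"$UFW_STATUS"; then
    check "fw" "warn" "UFW installed but not active"
  elif grep -q "18789.*ALLOW" <<<"$UFW_STATUS"; then
    check "fw" "warn" "UFW active but port 18789 explicitly allowed"
  else
    check "fw" "pass" "UFW active, port 18789 not explicitly allowed"
  fi
else
  check "fw" "warn" "UFW not installed"
fi
printf '\n'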
# Summary
printf '%s\n' "βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ"
printf '%s\n' "SUMMARY"
printf '%s\n' "βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ"
printf '%s\n' " β Passed: $PASS"
printf '%s\n' " β οΈ Warnings: $WARN"
printf '%s\n' " β Failed: $FAIL"
printf '\n'

# Exit status: 1 when any check failed (so cron/CI can react), 0 otherwise.
if (( FAIL > 0 )); then
  printf '%s\n' "π΄ ACTION REQUIRED: Fix the failed checks above!"
  exit 1
fi
if (( WARN > 0 )); then
  printf '%s\n' "π‘ Review the warnings above for potential improvements."
else
  printf '%s\n' "π’ All checks passed! Your Clawdbot instance is well-secured."
fi
exit 0